It’s not only in the digital world where these dangers lurk, though. A credit union’s largest “branch,” its call center, is prone to attack, too.
“Fraudsters often leverage social engineering and phishing tactics to try to fool member services teams in an attempt to take over a member’s account,” the Patelco chief risk officer says. “Then, once the account has been compromised, funds can be taken through digital channels.”
Indeed, fraudsters will work to exploit weaknesses in any channel into the credit union. That’s why Patelco has its eye on the venerable ATM.
“Skimming devices is another big focus,” Allen says. “There’s been an uptick as they’ve become increasingly difficult to detect. They’re often placed inside the ATM, where they’re not readily visible to legitimate users.”
Allen suggests a two-step approach to protect the enterprise during new member account openings that include a loan:
Implement a tiered lending strategy with enhanced underwriting for higher dollar or higher risk applicants. Continue automated approvals for applications that fall under a certain dollar limit and in other lower-risk categories.
Screen lending applicants through a debit bureau to establish a primary bank account before decisioning the loan application. Debit bureaus — ChexSystems, for example — collect and report information on bank accounts, such as checking and savings. “A debit bureau knows when consumers write bad checks,” Allen says.
Allen also offers three pieces of advice to improve security at the call center.
Implement an automated call screening and authentication system that engages the caller before reaching a live agent.
If there is no pre-authentication, require member service intervention on select service offerings, such as no funds transfer or PIN set and reset.
Enhance controls for digital product enrollment. At Patelco, members must be set up to receive either an email or text alert for account activity.
And as for ATMs, the big California credit union has installed skimmer-proof card readers.
Nagendra Sastry, Vice President of Decision Analytics, EXL
The payments card space is a major area of concern for credit unions in 2019, says Nagendra Sastry, vice president of decision analytics at EXL in Ahmedabad, India. He broadly divides the fraud risk into two categories: first party and third party.
First party is characterized by someone who opens an account or increases a credit line with no intent to pay and goes straight to charge-off. Third party is counterfeit fraud, where someone uses personal information to open a fraudulent account or copy a card. Card-not-present fraud — an emerging threat that Juniper Research predicts will cost retailers $130 billion worldwide between 2018 and 2023 — falls into this category.
Another emerging threat is the synthetic ID in which a fraudster combines real and fabricated information to create an identity and then open a fraudulent account. In a 2018 report titled Synthetic ID Fraud: The Elephant in the Room, Aite Group analysts say this type of fraud is particularly hard to detect and that its use is growing quickly.
Sastry at EXL, meanwhile, notes that every type of fraud has its own risk level based on the liability exposure to the credit union and that each requires different mechanisms for mitigating those risks.
With Callahan online seminars, 30 minutes is all you need to learn from the tried-and-true practices of industry peers. Check out Callahan’s upcoming webinars.
Along with ensuring the use of chip cards, Sastry says analyzing authorization rules and payer authentication are two ways to mitigate card payments risk.
Analyzing authorization rules, including looking at the no-decline status accorded to wealthy cardholders and frequent travelers, is a great place to start, Sastry says.
“As spear phishing attacks against wealthy individuals become more prevalent, this all-too-common strategy is becoming increasingly risky,” Sastry says. “If not managed properly, it can result in significant losses for the cooperative.”
The EXL vice president suggests applying data analytics that can reduce the complexity of authorization rules while deterring fraud and encouraging higher spend because there’ll be fewer declines.
But Sastry says that one of the easiest ways credit unions can prevent card-not-present and account takeover fraud is to use the 3D security protocol offered as Verified by Visa and MasterCard SecureCode.
“When employed, payment authorization is complete by using an additional password known only to the cardholder and provides assurance that the card owner is performing the transaction,” Sastry says.
John Buzzard, Fraud Control Specialist, CO-OP Financial Services
Although digital advances open new channels for fraudsters, credit unions have little choice but to keep up if they want to remain relevant — and in business. Fortunately, credit unions can also use those same channels to help deal with fraud. Text and email alerts and card controls are examples given by John Buzzard, fraud control specialist at CO-OP Financial Services in Rancho Cucamonga, CA. Credit unions can also use the various “Pays” to offer both convenience and protection.
“Educating members on the benefits of using safer payment methods like tokenized payments can reduce fraud, provided your credit union has an offering in place like Apple, Samsung, or a similar Pay product,” Buzzard says. “If you don’t have an offering in place for tokenized forms of payment, you can make this a part of your digital strategy plan for 2019.”
Jim Vilker, Vice President Professional Services/Audit Link, CU*Answers
Core processors are the primary technology provider to most credit unions and often the first resource they turn to for help protecting the enterprise.
Jim Vilker, vice president of professional services for Audit Link at CU*Answers in Grand Rapids, MI, says his client base is seeing the effects of the large data breaches of the past three years, including at Equifax, as personal information shows up for sale on the dark web.
“By far, the largest fraud threats are related to identity theft and account takeover,” he says.
Vilker says he’s seeing increased vigilance and a growing interest in fraud prevention strategies among the more than 250 credit unions that run on the CU*BASE platform. His threat mitigation advice includes:
Managing daily limits allowed through third-party channels such as home banking and bill payment systems.
Reviewing changes made by members through these channels. “We know criminals will attempt to change personal information prior to stealing the money in an effort to stop any type of automated alerts that would go to the member,” Vilker says.
Understanding all the ways money leaves the credit union — including wire transfers, P2P, A2A, and loans — and elevating monitoring and authentication of those channels.
The relatively smaller size of credit unions doesn’t make them immune from attacks. With the proliferation of automated attacks, even the smallest are now worth the time to target. Of course, that presents a challenge.
“Small credit unions don’t have the manpower to independently handle these technological challenges on their own,” says Mike Shiner, chief technology officer at FedComp, the suburban Virginia provider of core processing to approximately 600 of the nation’s smaller credit unions. “So, choosing the right partner to assist with that aspect is essential.”
Be Prepared. Then Prepare Some More.
3 To-Dos From FS-ISAC
Heather McCalman, credit union council manager for the Financial Services Information Sharing and Analysis Center, recommends three ways credit unions should step up cybersecurity for 2019 and beyond.
Secure and lockdown the Internet of Things (IoT).
Practice incident response plans, business continuity plans, and disaster recovery plans.
Encourage cybersecurity staff to communicate with other institutions’ staff to share operational knowledge and threat intelligence.
Buzzard at CO-OP recommends every credit union document names, contact information, and procedures for handling and reporting fraud across multiple business partners, including card brand, payment processing, and risk mitigation vendors.
“This knowledge often lives inside the heads of seasoned employees, but it’s often not documented as part of a strong business continuity plan,” the CO-OP fraud specialist says. “When contacts change, the credit union should also edit the contract document and share it with everyone.”
Credit unions also need to address internal transitions, and succession plans need to go beyond C-suite changes.
“It’s essential you have a succession plan in place for fraud and risk areas, no matter how small your credit union is,” Buzzard says. “Cross-train and document everything to maintain a sense of stability as roles transition from one person to another.”
Buzzard recommends credit unions document and train every six to 12 months. Learning and continuing education for multiple stakeholders should also occur regularly to help maintain a “high-functioning fraud prevention operation.”
Quarterly lunch-and-learns on trends and threats are a good way to do that, the CO-OP fraud specialist notes, adding that his company offers pre-recorded training modules for use on demand.
But even with the right people, processes, documentation, and training in place, fraudsters find vulnerabilities.
“The weakest link will always be the people,” says Shiner at FedComp. “Criminals rely on the kindness of strangers to circumvent even the best security systems. The best ways to mitigate these attacks is by training and educating your staff because they’re often your first line of defense.”
Corey Skadburg, chief operating officer at BrightWise, the cybersecurity training and solutions arm of the Iowa Credit Union League’s Affiliates Management Company, agrees.
Corey Skadburg, Chief Operating Officer, BrightWise
“Cyber criminals are becoming increasingly shady, attacking financial institutions through their employees and their members,” he says.
Credit unions need to prepare employees for potential attacks by ensuring quick response plans are in place and providing awareness education about the morphing threat landscape.
For example, Skadburg says, “Employees might be well versed in how to recognize a phishing email, but do they know how to recognize a vishing call?”
Then there are the members themselves. Skadburg says credit unions should have a member awareness program that includes how the credit union will contact members regarding their accounts, what information they will or will not request via phone or email, good password security habits, and two-factor authentication for online banking.
“We recommend every credit union assess its internal cybersecurity programs and responses and ensure the credit union is protected against this very real threat in 2019,” Skadburg says.
Want more credit union strategies? Sign up for the CreditUnions.com free newsletter.